ABSTRACT 


A system and method for quantitatively assessing the 
vulnerability of a computer network, comprised of elementary 
network elements each having at least one host, to external 
attack. The method produces a quantitative assessment that 
is repeatable and can be compared to a quantitative 
assessment of a separate network to determine the relative 
vulnerability of the network. The quantitative assessment is 
a function of the quantitative assessment of each elementary 
network unit, which is derived by classifying each port on 
each host and subsequently determining a quantitative 
vulnerability rating for the elementary network unit in 
accordance with the classification of each port on each 
host.


